The Ministry of Electronics and Information Technology (MeitY) is deliberating on various aspects of digital personal data and its protection and has formulated a draft bill titled ‘The Digital Personal Data Protection Bill 2022’. The Ministry has invited feedback from the public on the draft Bill. The submissions will not be disclosed and will be held in a fiduciary capacity, so that people submitting feedback can do so freely. The government has said no public disclosure of the submissions will be made.
According to a press release, the purpose of the draft Bill is to provide for the processing of digital personal data in a manner that recognises both the right of individuals to protect their personal data and the need to process personal data for lawful purposes and matters connected therewith or incidental thereto. The draft Bill employs plain and simple language to facilitate ease of understanding and is available on the Ministry’s website along with an explanatory note that provides a brief overview of its provisions.
There are presently over 760 million active Internet users, and over the coming years this is expected to touch 1.2 billion. There is an increasing need to regulate content and data collection on the Internet.
The Digital Personal Data Protection Bill sets out the rights and duties of the citizen (Digital Nagrik) on the one hand and, on the other, the obligations of the Data Fiduciary to use collected data lawfully. The Bill is based on seven principles around the Data Economy.
The first principle is that usage of personal data by organisations must be done in a manner that is lawful, fair, and transparent. The second principle of purpose limitation is that the personal data is used for the purposes for which it was collected.
The third principle of data minimisation is that only those items of personal data required for attaining a specific purpose must be collected. The fourth principle of the accuracy of personal data is that a reasonable effort must be made to ensure that the personal data of the individual is accurate and kept up to date. The fifth principle of storage limitation is that personal data is not stored perpetually by default. The storage should be limited to such duration as is necessary for the stated purpose for which personal data was collected.
The sixth principle is that reasonable safeguards are taken to ensure that there is no unauthorised collection or processing of personal data. This is intended to prevent a personal data breach. The seventh principle is that the person who decides the purpose and means of the processing of personal data should be accountable for such processing.
The Bill will establish a comprehensive legal framework governing digital personal data protection in the country. The Bill provides for the processing of digital personal data in a manner that recognises the right of individuals to protect their personal data, societal rights, and the need to process personal data for lawful purposes.